Fighting dictionary attacks with Sshutout and Fail2ban

Protection against DoS

SSH has two jails: the one just mentioned and sshd-ddos. This jail is not designed to prevent attempts to guess passwords, but to counter denial-of-service (DoS) attacks that open connections to the SSH daemon without entering a password.The logfile contains messages like this in case of a DoS attack:

sshd: Did not receive identification string from 10.0.0.150

Although you could configure multiple regular expressions per jail, many admins will prefer to assign different ban times for distributed DoS (DDoS) attacks as opposed to failed login attempts. That is, splitting this into the SSH and sshd-ddos categories makes a lot of sense.

The SSH jail is the only one set to enabled = true by default; all other jails – including sshd-ddos – have to be enabled manually.

Protection Scheme

If a user enters the wrong password multiple times, the results are similar to the Sshutout results: An iptables rule is triggered and locks out all connections from the offending computer for the next five minutes (Figure 2).

Protection for other services follows the same pattern (Figure 3). If you have a number of login-protected web pages on your Apache web server, Fail2ban will give you a jail to match,

Buy Linux Magazine

Related content

Users log on to services such as SSH, ftp, SASL, POP3, IMAP, Apache htaccess, and many more using their names and passwords. These popular access mechanisms are a potential target for brute-force attacks. An attentive bouncer will keep dictionary attacks at bay.

Logfiles contain records of what happens on a Linux system and the services it runs. Tools like Logcheck and Logsurfer filter out the most important events for the administrator, and they can even trigger an appropriate reaction automatically.